Abstract — We consider the random linear precoder at the
source node as a secure network coding. We prove that it is
strongly secure in the sense of Harada and Yamamoto [22]
and universal secure in the sense of Silva and Kschischang
[31], [32], while allowing arbitrarily small but nonzero mutual
information to the eavesdropper. Our security proof allows
statistically dependent and non-uniform multiple secret messages,
while all previous constructions of weakly or strongly secure
network coding assumed independent and uniform messages,
which are difficult to ensure in practice.

Index Terms — information theoretic security, network coding, 
secure multiplex coding, strongly secure network coding 

I. Introduction 

Network coding [1] has attracted much attention recently because
it can offer improvements in several metrics, such as throughput
and energy consumption; see [19], [20]. On the other hand,
information theoretic security [6], [28] has also attracted much
attention because it offers security that does not depend on a
conjectured difficulty of some computational problem.

A juncture of network coding and information theoretic security
is secure network coding [9], [12], which prevents an
eavesdropper, called Eve, from knowing the message from the
legitimate sender, called Alice, to the multiple legitimate
receivers by eavesdropping intermediate links up to a specified
number in a network. It can be seen 03), [16] as a network coding
counterpart of the traditional wiretap channel coding problem
considered by Wyner 04l and subsequently others [28]. In both
secure network coding and coding for wiretap channels, the secrecy
is realized by including random bits into the transmitted signal
by Alice so that the secret message becomes ambiguous to Eve. The
inclusion of random bits, of course, decreases the information
rate. In order to get rid of the decrease in the information rate,
Yamamoto et al. [25] proposed the secure multiplex coding for
wiretap channels, in which there is no loss of information rate.
The idea of Yamamoto et al. is as follows: Suppose that Alice
has $T$ statistically independent messages $S_1, \ldots, S_T$. Then
$S_1, \ldots, S_{i-1}, S_{i+1}, \ldots, S_T$ serve as the random bits
making $S_i$ ambiguous to Eve, for each $i$.

Independently and simultaneously, Bhattad and Narayanan
OJ proposed the weakly secure network coding based on
the same idea as [25], whose goal is also to get rid of the
loss of information rate in the secure network coding. Their
method OJ ensures that the mutual information between $S_i$
and Eve's information is zero for each $i$. Recall that Eve's
knowledge of secret information $S_i$ is usually measured by
the mutual information in the information theoretic security
[6], [28]. As drawbacks, the construction depends on the
network topology and coding at intermediate nodes, and the
computational complexity of code construction is large.

Harada and Yamamoto [22] defined a stronger security
requirement on the weakly secure network coding, which will
be reviewed later, and called it the strongly secure network
coding. Then they showed its construction procedure. As with OJ,
the construction depends on the network topology and coding
at intermediate nodes, and the computational complexity of
code construction is large.

In order to remove these drawbacks, Silva and Kschischang
[31] proposed the universal weakly secure network coding,
in which they showed an efficient code construction that can
support up to two $\mathbb{F}_q$-symbols in each $S_i$ and is independent of
the network topology and coding at intermediate nodes, where
$\mathbb{F}_q$ denotes the finite field with $q$ elements throughout this
paper. The independence of coding at the source node from
network topology and coding at intermediate nodes is termed
universal by Silva and Kschischang in [31], [32]. They [31]
also showed the existence of universal weakly secure network
coding with more than two $\mathbb{F}_q$-symbols in $S_i$, but have not
shown an explicit construction.

Cai [7] removed most of the drawbacks mentioned earlier. Cai
proved that random linear network coding [24] gives the
strongly secure network coding in the sense of [22] with
arbitrarily high probability with sufficiently large finite fields.
However, he did not provide an evaluation of the required field
size, and it seems huge. Moreover, for some applications (e.g.
[10], [36]) we want to choose coding at intermediate nodes in
a non-random fashion.

There exists a common difficulty in all the previous
constructions reviewed above. In practice, we are not sure if the
multiple messages are uniform and statistically independent.
However, all the previous studies¹ assumed the uniformity and
the independence, and without both of them their security
proofs do not seem to hold. It is important to provide a
security proof for weakly and strongly secure network coding
without the uniformity or independence assumption. On the other
hand, non-uniformity of secret messages has been considered
in the ordinary secure network coding [11], [37] (see also
the survey [8]). In [8], [11], [37], the randomness to hide a
secret message was assumed to be statistically independent of
the secret message, while our present study allows it to be
statistically dependent.

We shall analyze the security of a slightly modified
construction of the random linear precoder originally proposed
in [9]. Our modified construction is strongly secure in the
sense of [22] and universal secure in the sense of [31], [32].
Uniformity and independence assumptions are required in
previous works to guarantee security. This paper relaxes these
assumptions and aims to determine the amount of information
leakage if the two conditions are not satisfied. The optimality
of our modified construction is verified under the uniformity
and independence assumption at the end of Remark 8.

However, we relax an aspect of the security requirements
traditionally used in the secure network coding. In previous
proposals of secure network coding Q, [9], [22], [31], [32]
it is required that the mutual information to the eavesdropper
is exactly zero. We relax this requirement by regarding
sufficiently small mutual information to be acceptable. This
relaxation is similar to requiring the decoding error probability
to be sufficiently small instead of strictly zero. Also observe
that our relaxed criterion is much stronger than the one commonly
used in the information theoretic security [28]. Our modified
construction can realize arbitrarily small mutual information
if coding over sufficiently many symbols in a single packet is
allowed. We stress that the problem of secure network coding
is a generalization of secret sharing [4], [33] and the former
problem cannot be solved as the latter, as clearly observed in,
e.g. [8], [12], because we have to show the security under
many more choices of the eavesdropper in secure network coding
than in a secret sharing scheme, as is explained at the end
of Subsection III-C.

This paper is organized as follows: Section II reviews
related results used in this paper. Section III introduces the
strengthened version of the privacy amplification theorem and
the proposed scheme for secure network coding. Section IV
concludes the paper.

Part of this paper was reported as earlier proceedings papers
[29], [30]. We substantially rewrote our security proof in [30]
so that we can analyze the security with dependent and
non-uniform multiple secret messages, which was not done in [30].
We borrowed ideas from [29, Section IV] and extended them
in Appendix B so that we can prove Lemma 5.

¹Cai considered arbitrary probability distributions in [7, Theorem 3.2]
but assumed uniformity and independence for his study of the strongly secure
network coding in [7, Section IV].



II. Preliminary 

A. Model of network and network coding and two-universal 
hash functions 

As in 0, 0, EG), E2, ED, Ell we consider the single
source multicast, and assume the linear network coding [26],
[27]. The source node is assumed to have at least $n$ outgoing
links. For $i = 1, \ldots, n$, the source node generates a packet
$P_i$ consisting of $m$ symbols in $\mathbb{F}_q$, and transmits an
$\mathbb{F}_q$-linear combination of $P_1, \ldots, P_n$ to each outgoing link, as
explained in [18, Section 2.1]. At an intermediate node, only
packets generated at the same time by the source node are
linearly combined, as explained in [18, Section 2.5]. The linear
combination coefficients at each node are fixed so that all the
legitimate receivers can decode the $n$ packets $P_1, \ldots, P_n$ from the
source node.

If the random linear network coding [24] is employed, we
have to also include so-called encoding vectors in each packet
$P_i$ [18, Section 2.2]. We ignore those encoding vectors because
they do not carry secret information.

Hereafter, we shall only consider the eavesdropper Eve and
forget about the multiple legitimate receivers. The $n$ packets
$P_1, \ldots, P_n$ carry in total $mn$ symbols in $\mathbb{F}_q$. We shall propose
a method of encoding secret information into $mn$ symbols at
the source node. The $mn$ symbols obtained by the proposed
method are distributed to packets $P_1, \ldots, P_n$.

Eve can eavesdrop $\mu$ links. We assume $\mu < n$ throughout
this paper. The total number of eavesdropped symbols is
therefore $m\mu$. The set of $\mu$ eavesdropped links is assumed
to be fixed while packets $P_1, \ldots, P_n$ are traveling on the
network, as assumed in [31], [32]. The situation considered
here also includes the conventional store-and-forward network
as a special case.

We shall use a family of two-universal hash functions [13]
for the privacy amplification theorem introduced later.

Definition 1: Let $\mathcal{F}$ be a set of functions from a finite set
$\mathcal{S}_1$ to another finite set $\mathcal{S}_2$, and $F$ a random variable on $\mathcal{F}$. If
for any $x_1 \neq x_2 \in \mathcal{S}_1$ we have

$$\Pr[F(x_1) = F(x_2)] \le \frac{1}{|\mathcal{S}_2|}, \tag{1}$$

then $\mathcal{F}$ with the probability distribution of $F$ is said to be a
family of two-universal hash functions.

B. Security definitions 

Definition 2 (Strongly secure network coding): [22] Let
$m = 1$, and $S_1, \ldots, S_T \in \mathbb{F}_q$ be messages with $T < n$. We
denote by $S_{T+1}, \ldots, S_n \in \mathbb{F}_q$ randomness not intended as
messages. A network coding is said to be $\eta$-strongly secure
if the following relation holds for any $0 < \mu < n$. When
Eve's observation $Z$ is obtained by eavesdropping $\mu$ links,
any $I \subset \{1, \ldots, T\}$ with $\mu - \eta < T - |I|$ satisfies

$$I(S_I; Z) = 0,$$

where $S_I = [S_i : i \in I]$ and $I(S_I; Z)$ denotes their mutual
information as defined in [14].
The parameter $\eta$ is equivalent to $k$ in [22]. Harada and
Yamamoto [22] showed a procedure to construct $(n - T)$-strongly
secure network coding under the uniformity and
independence assumption on the messages $S_1, \ldots, S_n$.

We want to consider the universal security studied in [31],
[32], and also want to use multiple symbols in a single packet
$P_i$, that is, $m > 1$. So we introduce our version of universal
strong security, by following the approach initiated by Silva
and Kschischang [31], [32].

Definition 3: Assume that we are given a linear network
coding for single source multicast. Assume also that linear
coding at intermediate nodes and the set of $\mu$ eavesdropped
links are fixed when packets $P_1, \ldots, P_n$ travel from the source
node to all the legitimate receivers. Suppose that we have $T + 1$
messages $S_1, \ldots, S_{T+1}$ and $S_i \in \mathbb{F}_q^{k_i}$. $S_{T+1}$ denotes randomness
not intended as a message. We assume $\sum_{i=1}^{T+1} k_i = mn$. A linear
transformation of $S_1, \ldots, S_{T+1}$ at the source node is said to be
a universal $\eta$-strongly secure network coding if the following
relation holds for all linear coding at intermediate nodes and
for any $0 < \mu < n$. When Eve's observation $Z$ corresponds to $\mu$
eavesdropped links, any subset $I \subset \{1, \ldots, T\}$ with
$m(\mu - \eta) < \sum_{1 \le i \le T+1,\, i \notin I} k_i$ satisfies

$$I(S_I; Z) = 0, \tag{2}$$

where $S_I = [S_i : i \in I]$.

III. Universal strongly secure network coding 

A. Strengthened privacy amplification theorem 

In order to evaluate the mutual information to Eve when
the sum rate of multiple secret information is large, we need
to strengthen the privacy amplification theorem that originally
appeared in Q, [23] as follows. The following proposition
is a slightly enhanced version of [30, Theorem 2].

Proposition 4: Let $A_1$ and $A_2$ be discrete random variables
on finite sets $\mathcal{A}_1$ and $\mathcal{A}_2$, respectively, and $\mathcal{F}$ a family of
functions from $\mathcal{A}_1$ to $\mathcal{A}_3$. Let $F$ be a random variable on
$\mathcal{F}$. Assume that $A_1$ and $F$ are conditionally independent given
$A_2$, and that for any fixed realization $a_2$ of $A_2$, the conditional
probability distribution of $F$ given $a_2$ satisfies the condition
for a family of two-universal hash functions. Then we have

$$E_f[\exp(\rho I(F(A_1); A_2 | F = f))] \le 1 + |\mathcal{A}_3|^{\rho} E[P_{A_1|A_2}(A_1|A_2)^{\rho}] \tag{3}$$

for all $0 < \rho < 1$, where $E_f[\cdot]$ denotes the expectation of $\cdot$ with
$f$ being the random variable. We use the natural logarithm for
all the logarithms in this paper, which include ones implicitly
appearing in entropy and mutual information. Otherwise we
have to adjust the above inequality.

Proof: The proof is given in Appendix A. ■

In our analysis of the security, we shall use Proposition 4
with $A_1$ being the whole secret message, $A_2$ being part of the
secret message whose secrecy we analyze, and $F(A_1)$ being
Eve's observation.

B. Description of the proposed scheme and analysis with 
randomized coding 

The purpose of this section is to provide a universal
$(k_{T+1}/m - \delta_\rho)$-strongly secure network coding in a slightly
modified sense of Definition 3, where $\delta_\rho$ is a parameter measuring
conditional non-uniformity to be defined in Eq. (12). The
modified sense means that the zero mutual information in Eq.
(2) is relaxed to the requirement that it can be made arbitrarily
small. For this purpose, in this subsection, we treat the coding
scheme with randomized coding. We assume that we have $T$
secret messages, which can be dependent or non-uniform, and
that the $i$-th secret message is given as a random variable $S_i$
whose realization is a row vector in $\mathbb{F}_q^{k_i}$. We shall provide
upper bounds on the information leaked to Eve for all choices 
of values of We shall also use a supplementary random 
message $S_{T+1}$ taking values in $\mathbb{F}_q^{k_{T+1}}$ when the randomness in
the encoder is insufficient to make $S_i$ secret from Eve. By $S$
we denote the entire collection $(S_1, \ldots, S_{T+1})$ of messages.
We assume $mn = k_1 + \cdots + k_{T+1}$.

Let $\mathcal{L}$ be the set of all bijective $\mathbb{F}_q$-linear maps from
$\mathbb{F}_q^{mn}$ to itself, and $L$ the uniform random variable on $\mathcal{L}$
statistically independent of $S = (S_1, \ldots, S_{T+1})$, and arbitrarily
fix a nonempty $I \subseteq \{1, \ldots, T\}$. The source node stores $LS^t$ into
packets $P_1, \ldots, P_n$ defined in Section II-A and sends them via
its $n$ outgoing links, where $t$ denotes the transpose of a vector.
Our modified construction just attaches a bijective linear
function to an existing network coding. Note that attaching a
random linear function was first proposed in [9] for the secure
network coding. This coding scheme is illustrated in Fig. 1.

The legitimate sender and all the legitimate receivers agree
on the choice of $L$. The eavesdropper Eve may also know
their choice of $L$. The choice of $L$ is part of the protocol
specification, the chosen $L$ is repeatedly used, and agreement on
its choice among the legitimate sender and receivers is not counted
as consumption of the network bandwidth. A legitimate receiver
can recover $S_1, \ldots, S_T, S_{T+1}$ by multiplying $L^{-1}$ to his/her
received information. By the assumption on Eve, her information
can be expressed as $BLS^t$ by using an $m\mu \times mn$ matrix $B$
over $\mathbb{F}_q$ as in ED, [32].

For the nonempty $I \subseteq \{1, \ldots, T\}$, denote the collection of
random variables $[S_i : i \in I]$ by $S_I$, denote $[S_i : i \in \{1, \ldots,
T + 1\} \setminus I]$ by $S_{\bar I}$, and let $k_I = \sum_{i \in I} k_i$.

For a fixed realization $\ell$ of $L$, the information gained by
Eve is measured by the mutual information $I(S_I; BLS^t | L = \ell)$
as a common practice in the information theoretic security
ID, EH). Since its average $E_\ell[I(S_I; BLS^t | L = \ell)]$ is the
conditional mutual information $I(S_I; BLS^t | L)$ [14], we will
upper bound $I(S_I; BLS^t | L)$. After upper bounding the average
$I(S_I; BLS^t | L)$ in Eq. (5), we can ensure that for most choices
of $\ell$ and all possible $B$, $I(S_I; BLS^t | L = \ell)$ is small, as done in
Eq. (11).

In order to use Proposition 4 we introduce a lemma.

Lemma 5: For fixed $B$, the family of mappings $S \mapsto BLS^t$
is a family of two-universal hash functions to the
$\mathrm{rank}(B)$-dimensional $\mathbb{F}_q$-linear space.

Proof: See Appendix B. ■
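
The collision bound behind Lemma 5 can be checked exhaustively on a toy instance. The following is an added example, not code from the paper: the field F_2, the dimension mn = 3, the matrix `B_EVE` and all function names are assumptions chosen so that every bijective linear map can be enumerated.

```python
from fractions import Fraction
from itertools import product

Q = 2      # toy field F_2 (assumption; the paper allows any F_q)
DIM = 3    # toy value of mn, the length of the source vector S

def mat_vec(M, v):
    """Matrix-vector product over F_Q; M is a tuple of rows."""
    return tuple(sum(a * b for a, b in zip(row, v)) % Q for row in M)

def rank(M):
    """Rank over F_2 by Gaussian elimination (valid because Q = 2)."""
    rows = [list(r) for r in M]
    r = 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                rows[i] = [(x + y) % Q for x, y in zip(rows[i], rows[r])]
        r += 1
    return r

def all_bijective_maps(dim):
    """Every invertible dim x dim matrix over F_2 (the set of precoders L)."""
    vectors = list(product(range(Q), repeat=dim))
    return [M for M in product(vectors, repeat=dim) if rank(M) == dim]

def collision_probability(B, family, v):
    """Pr[B L x1 = B L x2] for x1 - x2 = v, with L uniform on `family`."""
    zero = (0,) * len(B)
    hits = sum(1 for L in family if mat_vec(B, mat_vec(L, v)) == zero)
    return Fraction(hits, len(family))

def worst_collision(B, family):
    """Largest collision probability over all nonzero differences v."""
    nonzero = [v for v in product(range(Q), repeat=DIM) if any(v)]
    return max(collision_probability(B, family, v) for v in nonzero)

# Constructed eavesdropping matrix: Eve reads 2 of the 3 symbols (rank 2).
B_EVE = ((1, 0, 0), (0, 1, 0))
IM_SIZE = Q ** rank(B_EVE)                           # |im(B)| = 4
GL = all_bijective_maps(DIM)                         # 168 maps on F_2^3
IDENTITY_ONLY = [((1, 0, 0), (0, 1, 0), (0, 0, 1))]  # no random precoder

if __name__ == "__main__":
    print("uniform L over all bijections:", worst_collision(B_EVE, GL))
    print("bound 1/|im(B)|              :", Fraction(1, IM_SIZE))
    print("fixed L = identity           :", worst_collision(B_EVE, IDENTITY_ONLY))
```

With the uniform precoder every nonzero difference collides with probability 1/7, below the two-universal bound 1/4, while a fixed precoder collides with probability 1 on the part of the message Eve's links do not touch.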

We can upper bound $I(S_I; BLS^t | L)$ as follows, by applying
Proposition 4 with $A_1 = S$, $A_2 = S_I$, and $F(A_1) = BLS^t$.
Observe that the assumption in Proposition 4 holds because
$S_I$ is part of $S$ and $L$ is independent of $S$.

$$\begin{aligned}
E_\ell[\exp(\rho I(S_I; BLS^t | L = \ell))]
&\le 1 + q^{m\rho \times \mathrm{rank}(B)} E[P_{S|S_I}(S | S_I)^{\rho}] \\
&= 1 + q^{m\rho \times \mathrm{rank}(B)} E[P_{S_{\bar I}|S_I}(S_{\bar I} | S_I)^{\rho}] \\
&\le 1 + q^{m\rho\mu} E[P_{S_{\bar I}|S_I}(S_{\bar I} | S_I)^{\rho}].
\end{aligned} \tag{4}$$

Fig. 1. Proposed coding scheme for the universal strongly secure network coding

From Eq. (4) we have

$$\begin{aligned}
\rho I(S_I; BLS^t | L)
&= \ln \exp(\rho I(S_I; BLS^t | L)) \\
&\le \ln E_\ell[\exp(\rho I(S_I; BLS^t | L = \ell))] \\
&\le q^{m\rho\mu} E[P_{S_{\bar I}|S_I}(S_{\bar I} | S_I)^{\rho}].
\end{aligned} \tag{5}$$

Fix a real number $C_1 > 1$. Equation (5) and the Markov
inequality yield that

$$\Pr[L \in \mathcal{L}_{I,1}] \le 1/C_1$$

for any single nonempty $I \subseteq \{1, \ldots, T\}$, where $\mathcal{L}_{I,1} := \{\ell \mid
I(S_I; BLS^t | L = \ell) > C_1 E_\ell[I(S_I; BLS^t | L = \ell)]\}$. Thus,

$$\Pr\Big[L \in \bigcup_{I : I \neq \emptyset} \mathcal{L}_{I,1}\Big] \le (2^T - 1)/C_1.$$

This means that there is at least a probability of $1 - (2^T - 1)/C_1$
such that a realization $\ell$ of $L$ satisfies

$$\begin{aligned}
I(S_I; BLS^t | L = \ell)
&\le C_1 E_\ell[I(S_I; BLS^t | L = \ell)] \\
&\le C_1 q^{m\rho\mu} E[P_{S_{\bar I}|S_I}(S_{\bar I} | S_I)^{\rho}] / \rho
\end{aligned} \tag{6}$$

for all the $(2^T - 1)$ nonempty subsets $I$ of $\{1, \ldots, T\}$.
Defining another subset $\mathcal{L}_{I,2} := \{\ell \mid \exp(\rho I(S_I; BLS^t | L = \ell)) >
C_1 E_\ell[\exp(\rho I(S_I; BLS^t | L = \ell))]\}$, by Eq. (4) and the Markov
inequality we obtain

$$\Pr\Big[L \in \bigcup_{I : I \neq \emptyset} (\mathcal{L}_{I,1} \cup \mathcal{L}_{I,2})\Big] \le 2(2^T - 1)/C_1.$$

Therefore, a realization $\ell$ of $L$ satisfies both Eq. (6) and

$$\exp(\rho I(S_I; BLS^t | L = \ell)) \le C_1 \big(1 + q^{m\rho\mu} E[P_{S_{\bar I}|S_I}(S_{\bar I} | S_I)^{\rho}]\big) \tag{7}$$

with probability at least $1 - 2 \times (2^T - 1)/C_1$.
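Equation (7) implies

$$\begin{aligned}
\frac{I(S_I; BLS^t | L = \ell)}{m}
&= \frac{1}{m\rho} \ln \exp(\rho I(S_I; BLS^t | L = \ell)) \\
&\le \frac{\ln C_1}{m\rho} + \frac{1}{m\rho} \ln\big(1 + q^{m\rho\mu} E[P_{S_{\bar I}|S_I}(S_{\bar I} | S_I)^{\rho}]\big) \quad \text{(by Eq. (7))} \\
&\le \frac{\ln C_1}{m\rho} + \left| \mu \ln q + \frac{1 + \ln E[P_{S_{\bar I}|S_I}(S_{\bar I} | S_I)^{\rho}]}{m\rho} \right|_+,
\end{aligned} \tag{8}$$

where in Eq. (8) we used $\ln(1 + \exp(x)) \le |1 + x|_+ = \max\{0, 1 + x\}$.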

Summarizing the preceding discussion, we have the following
theorem.

Theorem 6: Recall that the eavesdropping $m\mu \times mn$ matrix $B$
is fixed, that $L$ is the uniform random variable on $\mathcal{L}$ statistically
independent of $S = (S_1, \ldots, S_{T+1})$, and that a real number
$C_1 > 1$ is arbitrarily fixed. There is at least a probability of
$1 - 2 \times (2^T - 1)/C_1$ such that the information leakage
$I(S_I; BLS^t | L = \ell)$ to Eve with the chosen realization $\ell$ of $L$
satisfies both inequalities (6) and (8) simultaneously.

C. Evaluation of the number of different kinds of eavesdropping

In the following, we consider the case when the matrix
$B$ corresponds to $\mu$ eavesdropped links. Such a case can be
mathematically formulated as follows. Let $x_{i,j} \in \mathbb{F}_q$ be the
$j$-th symbol in the $i$-th packet $P_i$ defined in Section II-A. Then
there exists a $\mu \times n$ matrix $B_{\mu \times n}$ such that what is observed
by Eve at the $j$-th symbols in her eavesdropped $\mu$ packets is
expressed as $B_{\mu \times n}(x_{1,j}, \ldots, x_{n,j})^t$ for $j = 1, \ldots, m$. Without
loss of generality we may assume $\mathrm{rank}(B_{\mu \times n}) = \mu$ because if
$\mathrm{rank}(B_{\mu \times n}) = \mu' < \mu$ then such a case can be regarded as only
$\mu'$ links being eavesdropped. Then, the $m\mu \times mn$ matrix² $B$ is
completely determined by $B_{\mu \times n}$.

In order to show the universal security in Definition 3 we
need to ensure that the mutual information is small for any $B$
and any $0 < \mu < n$. For this purpose, we need to count the
number of different kinds of eavesdropping, which is much
larger than that in the secret sharing scheme [5], [35].

We consider the set $\mathcal{S}(\mu)$ of all possible $m\mu \times mn$ matrices
$B$ that characterize Eve's eavesdropping with the above
restriction. Then, we define an equivalence relation $\sim$ on $\mathcal{S}(\mu)$
as $B_1 \sim B_2$ for $B_1, B_2 \in \mathcal{S}(\mu)$ if there exists an invertible
function $f$ such that $f(B_1 L S^t) = B_2 L S^t$ for all $L$ and $S^t$. That
is, $B_1 \sim B_2$ if and only if the kernel of $B_1$ is the same as that
of $B_2$. Since $B_1$ and $B_2$ are determined by $\mu \times n$ matrices, the
space $\mathcal{S}(\mu)/\!\sim$ is the set of the $(n - \mu)$-dimensional subspaces
in $\mathbb{F}_q^n$. The space is called the Grassmannian and the number is
evaluated in the following way [11]:

$$|\mathcal{S}(\mu)/\!\sim| = \prod_{i=0}^{\mu-1} \frac{q^n - q^i}{q^\mu - q^i}
\le \prod_{i=0}^{\mu-1} \frac{q^{n-\mu+1} - 1}{q - 1}
\le q^{\mu(n-\mu+1)}
\le q^{(n+1)^2/4} \tag{9}$$

because $(x - z)/(y - z)$ is monotone increasing concerning $z$
when $x > y > z > 0$. The final inequality follows from
the inequality $\sqrt{\mu(n - \mu + 1)} \le \frac{\mu + (n - \mu + 1)}{2} = \frac{n+1}{2}$.
Hence, the total number of equivalence classes excluding $\mathcal{S}(0)$ is
upper bounded as

$$\sum_{\mu=1}^{n} |\mathcal{S}(\mu)/\!\sim| \le n q^{(n+1)^2/4}. \tag{10}$$

²Mathematically, the $m\mu \times mn$ matrix $B$ is written as

Conversely, in order to compare the number of kinds of
information leakage with the secret sharing scheme, we check
the tightness of evaluation (9), i.e., we show the opposite
inequality. Since $(x - z)/(y - z) > x/y$ holds for $x > y > z > 0$,

$$\prod_{i=0}^{\mu-1} \frac{q^n - q^i}{q^\mu - q^i} > q^{\mu(n-\mu)}.$$

That is, when $\mu$ is fixed, the number of possible kinds of
information leakage is greater than $q^{\mu(n-\mu)}$ in the network coding
scheme. On the other hand, in the secret sharing scheme, the
possible information leakage is given as an observation of $\mu$
shares among $n$ shares, the number is which grows only
polynomially in $n$ with a fixed $\mu$. Therefore, the universal code
in the network coding scheme has to satisfy the universality
under many more choices of the eavesdropper than that in the
ramp secret sharing scheme [5], [35].

D. Universally strongly secure networking code 

Next, using the above discussion, we show the existence of
universally strongly secure networking code. Due to (10), the
probability of $L$ satisfying Eqs. (6) and (8) simultaneously for
all possible $B$ is at least

$$1 - 2 \times (2^T - 1) \times n q^{(n+1)^2/4} / C_1. \tag{11}$$

Recall that the chosen $L$ is part of the protocol specification and
is repeatedly used. Because Eqs. (6), (8) and (11) are independent
of the realization of the random variable $S$ representing secret
information, Eqs. (6) and (8) are satisfied in every repeated
use of $L$ with probability at least Eq. (11).

The upper bound (6) can go to either zero or $\infty$ as $m \to \infty$.
When the upper bound (6) goes to $\infty$, the information leakage
to Eve grows linearly with $m$ and its growth rate with $m$
will be analyzed by Eq. (8). Firstly, we need to clarify under
what condition Eq. (6) converges to zero as $m \to \infty$. To do
so, we shall introduce a version of conditional Rényi entropy
introduced in [23]. There seems to be no standard definition
for the conditional Rényi entropy; for example, definitions in
12 and [21] disagree and our definition in [23] is different
from 12, [21]. For discrete random variables $X$, $Y$, define
conditional Rényi entropy of order $1 + \rho$ as

$$H_{1+\rho}(X|Y) = -\frac{\log E[P_{X|Y}(X|Y)^{\rho}]}{\rho}.$$

For $\rho = 0$, we define $H_1(X|Y)$ as $\lim_{\rho \to 0} H_{1+\rho}(X|Y)$. By using
l'Hôpital's rule we see that $H_1(X|Y)$ is equal to the conditional
Shannon entropy. Observe also that $H_{1+\rho}(X|Y) = \log |\mathcal{X}|$ if $X$
is conditionally uniform given $Y$, where $\mathcal{X}$ denotes the alphabet
of $X$.

In order to clarify under what condition Eq. (6) converges to
zero, we need to assume some knowledge on $P_{S_{\bar I}|S_I}(S_{\bar I} | S_I)$.
We consider the situation in which each message $S_i$ originates
from a different organization and is compressed before being
network coded. Under such a situation, we assume that $S_{\bar I}$ is
nearly conditionally uniform given $S_I$. Let $\delta_\rho$ be a nonnegative
constant such that

$$\frac{k_{\bar I}}{m} - \frac{H_{1+\rho}(S_{\bar I} | S_I)}{m \ln q} \le \delta_\rho \tag{12}$$

for some $0 < \rho < 1$, for all $I$, and for sufficiently large $m$.
Observe that if all messages $S_i$'s are uniform and independent
then $\delta_\rho = 0$. The parameter $\delta_\rho$ captures the deviation from
the uniform and independent situation in terms of conditional
Rényi entropy per the number $m$ of symbols in a single packet.
By taking the natural logarithm of Eq. (6), we see

$$\begin{aligned}
\ln[\text{RHS of Eq. (6)}]
&= \ln\frac{C_1}{\rho} + m\rho\left(\mu \ln q + \frac{\ln E[P_{S_{\bar I}|S_I}(S_{\bar I} | S_I)^{\rho}]}{m\rho}\right) \\
&= \ln\frac{C_1}{\rho} + m\rho \underbrace{\left(\mu - \frac{H_{1+\rho}(S_{\bar I} | S_I)}{m \ln q}\right)}_{(*)} \ln q.
\end{aligned} \tag{13}$$

When

$$\mu < \left(n - \frac{k_I}{m}\right) - \delta_\rho, \quad \text{i.e.} \quad \frac{k_I}{m} < n - \mu - \delta_\rho, \tag{14}$$

(*) in Eq. (13) becomes negative by Eq. (12). Under such a
condition Eq. (13) converges to $-\infty$ as $m \to \infty$, which means
that the upper bound Eq. (6) can be made arbitrarily small by
letting $m$ be large.

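Secondly, we shall analyze how much information Eve can
gain when Eq. (14) does not hold. In such a case we use the
other upper bound Eq. (8). We can rewrite Eq. (8) as

$$\begin{aligned}
\text{RHS of Eq. (8)}
&= \frac{1 + \ln C_1}{m\rho} + \mu \ln q - \frac{H_{1+\rho}(S_{\bar I} | S_I)}{m} \\
&\le \frac{1 + \ln C_1}{m\rho} + \left(\mu - \left(n - \frac{k_I}{m} - \delta_\rho\right)\right) \ln q \quad \text{(by Eq. (12))}.
\end{aligned}$$

We see that we can make the upper bound Eq. (8) on

$$\frac{I(S_I; BLS^t | L = \ell)}{m}$$

arbitrarily close to

$$\left(\mu + \delta_\rho - \left(n - \frac{k_I}{m}\right)\right) \ln q \tag{15}$$

by letting $m$ be large.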

By the above modified construction and evaluation of mutual
information, we provide a universal $(k_{T+1}/m - \delta_\rho)$-strongly
secure network coding in the sense of Definition 3 with the
zero mutual information requirement in Eq. (2) replaced by an
arbitrarily small one (see also Remark 8).

Remark 7: The meaning of C\ is as follows: At Eqs. (O 
and ©, there might not exist a realization t of L that satisfies 
Eqs. (0| and (O for all subsets J of {1, . . . , T] simultaneously. 
By sacrificing the tightness of the upper bounds, we ensure the 
existence of (, satisfying Eqs. (O and (|7]) for all I. 
Remark 8: Under the assumption that all messages $S_1, \ldots,
S_{T+1}$ are uniform and independent, the mutual information can
be made exactly zero for every eavesdropping matrix $B$. The
reason is as follows: For fixed $B$ and $L = \ell$, we have

$$I(S_I; BLS^t | L = \ell) = H(S_I | L = \ell) - H(S_I | BLS^t, L = \ell). \tag{16}$$

The first term $H(S_I | L = \ell)$ is an integer multiple of $\ln q$ since
$S_I$ is assumed to have the uniform distribution. Let $\alpha_I$ be
the projection from $\prod_{i=1}^{T+1} \mathbb{F}_q^{k_i}$ to $\prod_{i \in I} \mathbb{F}_q^{k_i}$ for $I \subset \{1,
\ldots, T\}$. For fixed $B$ and $\ell$, and a given realization $z$ of
$B\ell S^t$, the set of solutions $s$ such that $z = B\ell s$ is written as
$\ker(B\ell) +$ some vector $v$. This means that the set of possible
candidates of $S_I$ given realization $z$ of $B\ell S^t$ is written as
$\alpha_I(\ker(B\ell)) + \alpha_I(v)$, and $S_I$ given realization $z$ is uniformly
distributed on $\alpha_I(\ker(B\ell)) + \alpha_I(v)$. Since the cardinality of
$\alpha_I(\ker(B\ell)) + \alpha_I(v)$ is independent of $\ell S^t$ for fixed $B$ and
$\ell$, the second term $H(S_I | BLS^t, L = \ell)$ is also an integer
multiple of $\ln q$. Therefore, if Eq. (6) holds for every $B$ as
verified in Eq. (11) and the RHS of Eq. (6) is $< \ln q$, then
the LHS of Eq. (6) must be zero. Observe that under this
assumption our modified construction is a universal
$k_{T+1}/m$-strongly secure network coding in the exact sense of
Definition 3. The parameter $k_{T+1}/m$ is optimal according to JH).

E. Numerical example of explicit computation of required 
block size m 

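In this section we give a numerical example of computing the
required block length $m$ in order to ensure that the mutual
information is below some value. In order to do so, we need an
estimate of $E[P_{S_{\bar I}|S_I}(S_{\bar I} | S_I)^{\rho}]$. We assume to have $\delta_{0.5} = 0.5$
in Eq. fl3 at $\rho = 0.5$.

Let $q = 256$, $n = 10$, $\mu = 3$, $T = 5$, $k_i = 2m$ for all $i$. We
do not have $S_{T+1}$. We want to ensure that we choose $\ell$ with
probability at least $1 - 10^{-12}$ such that $I(S_I; BLS^t | L = \ell) < 10^{-6}$
for all $i = 1, \ldots, 5$. By Eq. (11) we choose $C_1$ as

$$2 \times n q^{(n+1)^2/4} (2^T - 1)/C_1 = 10^{-12}
\;\Leftrightarrow\; C_1 = 2 \times 10 \times 256^{11^2/4} (2^T - 1) 10^{12}.$$

By using $\delta_\rho$, we can upper bound the RHS of Eq. (6) as
follows:

$$\begin{aligned}
C_1 q^{m\rho\mu} E[P_{S_{\bar I}|S_I}(S_{\bar I} | S_I)^{\rho}] / \rho
&= C_1 \exp_q\!\left(m\rho\left(\mu - \frac{H_{1+\rho}(S_{\bar I} | S_I)}{m \ln q}\right)\right) / \rho \\
&\le C_1 \exp_q\!\left(m\rho(\mu - n + k_I/m + \delta_\rho)\right) / \rho \quad \text{(by Eq. (12))}.
\end{aligned} \tag{17}$$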

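In order to keep the above upper bound below $10^{-6}$ we
have to choose

$$\begin{aligned}
& C_1 \exp_q\!\left(m\rho(\mu - n + k_I/m + \delta_\rho)\right) / \rho < 10^{-6} \\
\Leftrightarrow\; & m > -\frac{\log_q(10^{6} C_1/\rho)}{\rho(\mu - n + k_I/m + \delta_\rho)} \\
\Leftrightarrow\; & m > -\frac{\log_{256}\!\left(10^{6} \times 2 \times 10 \times 256^{121/4} (2^5 - 1) 10^{12} / 0.5\right)}{0.5(3 - 10 + 2 + 0.5)} \\
\Leftrightarrow\; & m > 17.3373.
\end{aligned}$$

This means that we can choose $m = 18$ and should choose
the matrix $L$ at least as large as $180 \times 180$ over $\mathbb{F}_{256}$, which
is implementable. Recall that we assumed $n = 10$ outgoing
(logical) links from the source node and that each outgoing
link carries $m = 18$ symbols in a single coding block in this
example.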
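
The block-length computation above can be reproduced and extended to other numbers of eavesdropped links. This is an added example, not code from the paper: the function names are assumptions, and it uses $n q^{(n+1)^2/4}$ as the count bound of Eq. (10), the choice of $C_1$ from Eq. (11) and the bound of Eq. (17); it goes beyond the single case in the text by sweeping $\mu$ and reporting when condition (14) fails.

```python
import math

def gaussian_binomial(n, mu, q):
    """Exact number of mu-dimensional subspaces of F_q^n."""
    num = den = 1
    for i in range(mu):
        num *= q**n - q**i
        den *= q**mu - q**i
    return num // den

def eavesdropping_classes(n, q):
    """Exact number of kernel classes for mu = 1..n, the quantity that
    Eq. (10) bounds from above by n * q^((n+1)^2/4)."""
    return sum(gaussian_binomial(n, mu, q) for mu in range(1, n + 1))

def log_q_c1(q, n, T, fail_prob):
    """log_q(C_1) solving 2 * n * q^((n+1)^2/4) * (2^T - 1) / C_1 = fail_prob.
    Kept in the log domain so large n or q cannot overflow a float."""
    return math.log(2 * n * (2**T - 1) / fail_prob, q) + (n + 1) ** 2 / 4

def min_block_length(q, n, mu, T, k_over_m, delta, rho, leak, fail_prob):
    """Real-valued threshold m* such that any m > m* gives
    C_1 * q^(m*rho*(mu - n + k_I/m + delta)) / rho < leak (Eq. (17)).
    Returns None when mu - n + k_I/m + delta >= 0: condition (14) fails
    and the bound (6) no longer shrinks as m grows."""
    slope = mu - n + k_over_m + delta
    if slope >= 0:
        return None
    need = log_q_c1(q, n, T, fail_prob) + math.log(1 / (rho * leak), q)
    return need / (rho * -slope)

def sweep_links(q, n, T, k_over_m, delta, rho, leak, fail_prob):
    """Smallest integer block length for every mu = 1..n (None if impossible)."""
    result = {}
    for mu in range(1, n + 1):
        m = min_block_length(q, n, mu, T, k_over_m, delta, rho, leak, fail_prob)
        result[mu] = None if m is None else math.floor(m) + 1
    return result

# Parameters of the numerical example in this section.
PAPER = dict(q=256, n=10, T=5, k_over_m=2, delta=0.5, rho=0.5,
             leak=1e-6, fail_prob=1e-12)

if __name__ == "__main__":
    print("threshold for mu = 3:", min_block_length(mu=3, **PAPER))
    for mu, m in sweep_links(**PAPER).items():
        print(f"mu = {mu:2d}: m = {m}")
    exact = eavesdropping_classes(PAPER["n"], PAPER["q"])
    print("exact class count below n*q^((n+1)^2/4):", exact <= 10 * 2**242)
```

The sweep shows how quickly the required block length grows as $\mu$ approaches $n - k_I/m - \delta_\rho = 7.5$, and that no block length works beyond it.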

Remark 9: A vector in $\mathbb{F}_q^{mn}$ can be identified with an
element in $\mathbb{F}_{q^{mn}}$, and multiplication by a nonzero element in
$\mathbb{F}_{q^{mn}}$ is an $\mathbb{F}_q$-linear mapping and can be identified with an
element in $\mathcal{L}$. Let $\mathcal{L}_{\mathbb{F}_{q^{mn}}}$ be a commutative subgroup of $\mathcal{L}$
whose elements can be identified with nonzero elements in
$\mathbb{F}_{q^{mn}}$. By looking at the proof of Lemma 5 in Appendix B we
can see that $\mathcal{L}_{\mathbb{F}_{q^{mn}}}$ can be used in place of $\mathcal{L}$ in our modified
construction. The storage space necessary to record the choice of an
element in $\mathcal{L}_{\mathbb{F}_{q^{mn}}}$ is that of $mn$ $\mathbb{F}_q$ symbols and is smaller than
that of $\mathcal{L}$. Matrix multiplication by an element in $\mathcal{L}_{\mathbb{F}_{q^{mn}}}$ is at
least as fast as that in $\mathcal{L}$.



IV. Conclusion 

In the secure network coding, there was loss of information
rate due to inclusion of random bits at the source node. Weakly
and strongly secure network coding El, Q, [22], [31] remove
that loss of information rate by using multiple messages to
be kept secret from an eavesdropper, which requires huge
computational complexity in code construction or a huge finite
field size. In addition to this, the previous studies assumed
uniform and independent multiple messages, which seems too
strong an assumption in practice. In this paper, we have shown
that a random linear transform of multiple messages at the
source node realizes the strongly secure network coding with
arbitrarily high probability with sufficiently large block length.
We did not assume uniformity nor independence in multiple
messages. Our numerical example in Section III-E showed that
"sufficiently large block length" can be small.

Appendix A
Proof of Proposition 4

In order to show Proposition 4 we introduce the following
lemma.

Lemma 10: Under the same assumption as Proposition 4
we have

$$E_f[\exp(-\rho H(F(A_1) | A_2, F = f))] \le |\mathcal{A}_3|^{-\rho} + E[P_{A_1|A_2}(A_1|A_2)^{\rho}] \tag{18}$$

for $0 < \rho < 1$.

Proof of Proposition 4:

$$\begin{aligned}
E_f[\exp(\rho I(F(A_1); A_2 | F = f))]
&= E_f[\exp(\rho H(F(A_1) | F = f) - \rho H(F(A_1) | A_2, F = f))] \\
&\le E_f[|\mathcal{A}_3|^{\rho} \exp(-\rho H(F(A_1) | A_2, F = f))] \\
&\le |\mathcal{A}_3|^{\rho} \big(|\mathcal{A}_3|^{-\rho} + E[P_{A_1|A_2}(A_1|A_2)^{\rho}]\big) \quad \text{(by Eq. (18))}.
\end{aligned}$$

■

Proof of Lemma 10: Fix $a_2 \in \mathcal{A}_2$. The concavity of $x^{\rho}$
for $0 < \rho < 1$ implies



This means that we can choose m = 18 and should choose 
the matrix L at least as large as 180 x 180 over F256, which 
= ^ P Al \A 2 (ai\a 2 )Ef[ p A,|A 2 (fl'i|fl2)] P 

ai&Tli a\ef- 1 (fiat)) 



a'. £/-'(/(«!» 



(**) 



For a fixed realization $a_2$ of $A_2$, by the assumption in
Proposition 4 two random variables $F$ and $A_1$ are statistically
independent, which implies that the distribution of $f$ in (**) is
independent of $a_1$. Since $f$ is chosen from a family of
two-universal hash functions defined in Definition 1 we have
, . „ , . . y^ 1 P A x \A,(fl\\ai) 
(**)<P Al |A 2 (ai|a2)+ 2j 



<P AMl {a l \a 2 ) + \ft 



- 1 



1^3 



Since any two positive numbers $x$ and $y$ satisfy $(x + y)^{\rho} \le x^{\rho} + y^{\rho}$
for $0 < \rho < 1$, we have

$$(P_{A_1|A_2}(a_1|a_2) + |\mathcal{A}_3|^{-1})^{\rho} \le P_{A_1|A_2}(a_1|a_2)^{\rho} + |\mathcal{A}_3|^{-\rho}. \tag{20}$$

By Eqs. (19) and (20) we can see



Taking the average over $A_2$ of both sides of the last
equation, we have

$$E_f[E_{A_1A_2}[P_{f(A_1)|A_2}(f(A_1)|A_2)^{\rho}]] \le E_{A_1A_2}[P_{A_1|A_2}(A_1|A_2)^{\rho}] + |\mathcal{A}_3|^{-\rho}. \tag{21}$$

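Define $g(\rho) = E_{A_1A_2}[P_{f(A_1)|A_2}(f(A_1)|A_2)^{\rho}]$ as a function of $\rho$
with fixed $f$ and $P_{A_1A_2}$, and $h(\rho) = \ln g(\rho)$. We have

$$\begin{aligned}
g'(\rho) &= E_{A_1A_2}[P_{f(A_1)|A_2}(f(A_1)|A_2)^{\rho} \ln P_{f(A_1)|A_2}(f(A_1)|A_2)], \\
g''(\rho) &= E_{A_1A_2}[P_{f(A_1)|A_2}(f(A_1)|A_2)^{\rho} (\ln P_{f(A_1)|A_2}(f(A_1)|A_2))^2], \\
h'(\rho) &= g'(\rho)/g(\rho), \\
h''(\rho) &= \frac{g''(\rho) g(\rho) - [g'(\rho)]^2}{g(\rho)^2}.
\end{aligned}$$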

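Define $(A_1', A_2')$ to be the random variables that have the same
joint distribution as $(A_1, A_2)$ and are statistically independent of
$A_1$ and $A_2$. To examine the sign of $h''(\rho)$ we compute

$$\begin{aligned}
& g''(\rho) g(\rho) - [g'(\rho)]^2 \\
&= E_{A_1A_2A_1'A_2'}\big[P_{f(A_1)A_2}(f(A_1), A_2)^{\rho} P_{f(A_1)A_2}(f(A_1'), A_2')^{\rho} \\
&\qquad \{(\ln P_{f(A_1)|A_2}(f(A_1)|A_2))^2 - \ln P_{f(A_1)|A_2}(f(A_1)|A_2) \ln P_{f(A_1)|A_2}(f(A_1')|A_2')\}\big] \\
&= \tfrac{1}{2} E_{A_1A_2A_1'A_2'}\big[P_{f(A_1)A_2}(f(A_1), A_2)^{\rho} P_{f(A_1)A_2}(f(A_1'), A_2')^{\rho} \\
&\qquad \{(\ln P_{f(A_1)|A_2}(f(A_1)|A_2))^2 + (\ln P_{f(A_1)|A_2}(f(A_1')|A_2'))^2 \\
&\qquad\; - 2 \ln P_{f(A_1)|A_2}(f(A_1)|A_2) \ln P_{f(A_1)|A_2}(f(A_1')|A_2')\}\big] \\
&= \tfrac{1}{2} E_{A_1A_2A_1'A_2'}\big[P_{f(A_1)A_2}(f(A_1), A_2)^{\rho} P_{f(A_1)A_2}(f(A_1'), A_2')^{\rho} \\
&\qquad \{\ln P_{f(A_1)|A_2}(f(A_1)|A_2) - \ln P_{f(A_1)|A_2}(f(A_1')|A_2')\}^2\big] \\
&\ge 0.
\end{aligned}$$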

This means that $h''(\rho) \ge 0$ and $h(\rho)$ is convex. We can see

$$\begin{aligned}
E_{A_1A_2}[P_{f(A_1)|A_2}(f(A_1)|A_2)^{\rho}] &= \exp(h(\rho)) \\
&\ge \exp(\underbrace{h(0)}_{=0} + \rho h'(0)) \\
&= \exp(-\rho H(f(A_1)|A_2)).
\end{aligned} \tag{22}$$

By Eqs. (21) and (22) we see that Eq. (18) holds.



Appendix B
Proof of Lemma 5

We shall prove Lemma 5 in this Appendix. Let $\mathcal{L}$ be a
subgroup of the group of all bijective linear maps on $\mathbb{F}_q^{mn}$. For
$x \in \mathbb{F}_q^{mn}$, the orbit $O(x)$ of $x$ under the action of $\mathcal{L}$ is defined
by

$$O(x) = \{Lx \mid L \in \mathcal{L}\}.$$



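Lemma 11: Let $x$, $y$ be two different vectors belonging to
$O(z)$. We have

$$|\{L \in \mathcal{L} \mid Lz = x\}| = |\{L \in \mathcal{L} \mid Lz = y\}|.$$

Proof: Let $K \in \mathcal{L}$ such that $Kx = y$. We have

$$\begin{aligned}
|\{L \in \mathcal{L} \mid Lz = x\}|
&= |\{L \in \mathcal{L} \mid KLz = Kx\}| \\
&= |\{L \in \mathcal{L} \mid KLz = y\}| \\
&= |\{L \in \mathcal{L} \mid Lz = y\}|.
\end{aligned}$$

■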

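Lemma 12: Let $B$ be an $m\mu \times mn$ matrix, $\ker(B) = \{x \in
\mathbb{F}_q^{mn} \mid Bx = 0\}$, and $\mathrm{im}(B) = \{Bx \mid x \in \mathbb{F}_q^{mn}\}$. The family
of functions $\{BL \mid L \in \mathcal{L}\}$ with uniformly distributed $L$ is a
family of two-universal hash functions from $\mathbb{F}_q^{mn}$ to $\mathrm{im}(B)$ if
and only if

$$\frac{|O(v) \cap \ker(B)|}{|O(v)|} \le \frac{1}{|\mathrm{im}(B)|}$$

for all $v \in \mathbb{F}_q^{mn} \setminus \{0\}$.

Proof: With the uniform distribution on $\mathcal{L}$, the LHS of Eq.
(1) is equal to

$$\begin{aligned}
\frac{|\{L \in \mathcal{L} \mid BLx_1 = BLx_2\}|}{|\mathcal{L}|}
&= \frac{|\{L \in \mathcal{L} \mid BL(x_1 - x_2) = 0\}|}{|\mathcal{L}|} \\
&= \frac{|\{L \in \mathcal{L} \mid L(x_1 - x_2) \in \ker(B)\}|}{|\mathcal{L}|} \\
&= \frac{|\{L \in \mathcal{L} \mid L(x_1 - x_2) \in O(x_1 - x_2) \cap \ker(B)\}|}{|\{L \in \mathcal{L} \mid L(x_1 - x_2) \in O(x_1 - x_2)\}|} \\
&= \frac{|O(x_1 - x_2) \cap \ker(B)|}{|O(x_1 - x_2)|} \quad \text{(by Lemma 11)}.
\end{aligned}$$

Renaming $x_1 - x_2$ to $v$ proves the lemma. ■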
Proposition 13: If $\mathcal{L}$ is the set of all bijective linear maps
on $\mathbb{F}_q^{mn}$, then $\{BL \mid L \in \mathcal{L}\}$ with uniformly distributed $L$ is a
family of two-universal hash functions from $\mathbb{F}_q^{mn}$ to $\mathrm{im}(B)$.

Proof: For a nonzero $v \in \mathbb{F}_q^{mn}$, we have $O(v) = \mathbb{F}_q^{mn} \setminus \{0\}$,
which implies

$$|O(v)| = |\mathbb{F}_q^{mn}| - 1,$$

$$|O(v) \cap \ker(B)| = \frac{|\mathbb{F}_q^{mn}|}{|\mathrm{im}(B)|} - 1.$$

By Lemma 12 we can see that the proposition is true. ■

Proof of Lemma 5: Lemma 5 is equivalent to Proposition 13. ■